10 August, 2007 by rhesus12
I wasn’t as aware as I should be about some of the privacy implications of e-Government until I read Privacy Commissioner Marie Shroff’s presentation to this year’s GOVIS conference. While I have confidence in the State Services Commission’s current emphasis on Privacy Impact Assessments (PIAs), especially in its Authentication Programme (where the issues include data security – your data – and who in government gets to see and use it), things are moving fast and the playing field is getting wider.
Two of the big areas seem to be, what happens to your data when government starts working more with businesses and NGOs to provide online services? And will the fun we’re all having with YouTube and Facebook culture see us build our own 21st Century Panopticon?
The point is that in something developing as quickly as e-Government, potential problems arise from unexpected quarters all the time. Bear in mind that e-Government is about the transformation of government, how it does its work and what our relationship with it as citizens is. Its not just about digitizing existing agency services or setting up websites. This means cultural change, not just bureaucratic process improvement.
To take an extreme scenario, government becomes a mass of carefully packaged data pieces. When you login to the government portal (via security provided by the Authentication Programme) you would call up a “virtual agency”, one that exists instantly and only in cyberspace, is tailored to your specific query, and ceases to exist once you log off. It relies on data sharing between government bodies (and NGOs and businesses – see below). This is a good thing. The privacy implications of this and other less-automated set ups seem obvious.
I’m pretty happy about the SSC’s answer so far, which seems to involve the progressive issuing of PIAs and other instruments. As the Privacy Commissioner says, the answer will come more in the form of adaptable regulation rather than potentially monolithic legislation. Here’s a summary of the SSC’s PIA for the Government Logon Service (GLS):
- Conduct further PIAs if the system changes such that any participants collect additional personal information.
- Limit the GLS to government agencies.
- Comply with the Privacy Act to inform individuals when collecting personal information.
- Give users security tips, including links to spyware-removal software; and inform them immediately of specific threats.
- Carefully evaluate business procedures for reissuing or revalidating category-two authentication keys.
- Develop robust and responsive complaint procedures.
- Comply with the Privacy Act to respond to requests for access or changes to personal information.
- Develop policies for retaining information and for closing accounts and disabling keys.
But Shroff raises a couple of interesting issues not covered by this approach (nor intended to), mainly because they involve data-matching and the mirroring overseas of personal data by the business sector, and the no-holds-barred, upload-it-YouTube world of Web 2.0 social networking (that’s MySpace, Flickr, delicious, Beebo, etc).
Where the actors are purely commercial the issue seems more manageable through updates to law and regulation. The challenge seems to be keeping up with and in some cases, uncovering, developments. Shroff lists several examples, one of which is:
Credit reporting company Veda Advantage, (formerly Baycorp Advantage) has been developing plans to store its financial and credit information about pretty much all of us, on its databases in Australia. Those plans have hit some road bumps because of jurisdictional issues: whose law would apply to the information – our Credit Information Privacy Code – or the Australian law? On the one hand, the information is about New Zealanders, but on the other hand, it would be stored in Australia.
What is clear is that whilst the problems of information sharing are not entirely new, their significance has grown, and will continue to do so. New players, in particular the private and voluntary sector, don’t just deliver public services on behalf of the state but also provide individual, tailored, services. As these roles merge, the consequence is unprecedented amounts of personal data passing amongst individuals; between individuals and organisations; between state and individual; between state and the private sector; and between individuals and the private sector.
Add to this our potential to become our own Big Brother. Shroff quotes a report from the (British) Royal Academy of Engineering:
‘Big Brother’ will [potentially] end up being more powerful than Orwell envisaged (in the sense that we will have far less individual privacy), though it may not be government that will be empowered. In a world of matchbox-sized camcorders and camera-phones, of always-on broadband and RFID, ordinary people (not a government agency, supermarket or the police) will be the nemesis of privacy. The Internet has the potential to democratise and decentralise Big Brother, as it democratises and decentralises many other phenomena; Big Brother may be ‘us’, not ‘them’.
There’s another emerging Web 2.0 privacy and information security issue. Can we trust the owners of these social networking and related companies (Google, mySpace etc) with our private data? No. Do we? Mostly. This is how Demos puts it:
It’s interesting to think about the ways that web 2.0, which is usually thought of as being largely about giving people great tools to create, share and understand, might be rooted in some way in how organisations control – or host, compile, aggregate – large banks of data or information.
Its interesting to note that Shroff downplays the chances of any government-controlled surveillance state (without dismissing it all together). Instead, she highlights what she calls increasing “privacy pollution” – a sort of incremental smog from all areas (government, business, social).
Sounds pretty plausible to me. I’m not losing sleep about the government’s role (call me niave but I think they have the intentions and awareness to deal with this as well as anyone else). But trite as it is to say, its all moving very quickly and most of the issue’s defining boundaries are blurring.